Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
2-2022
Abstract
We present ScriptChecker, a novel browser-based framework to effectively and efficiently restrict third-party script execution according to the host web page’s directives. Different from all existing schemes functioning at the JavaScript layer, ScriptChecker holistically harnesses context separation and the browser’s security monitors to enforce on-demand access controls upon tasks executing untrusted code. The host page can flexibly assign resource-access capabilities to tasks upon their creation. Reaping the benefits of the task capability approach, ScriptChecker outperforms existing techniques in security, usability and performance. We have implemented a prototype of ScriptChecker on Chrome and rigorously evaluated its security against 1373 malicious scripts and its usability with empirical studies upon top-1000 sites. The experimental results show that its strong security strength and ease-of-use are attained at the cost of unnoticeable performance loss. It incurs about 0.2 microseconds overhead to mediate a DOM access, and 5% delay when loading popular JS graphics and utility libraries.
Discipline
Databases and Information Systems
Research Areas
Information Systems and Management
Publication
Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, California, 2022 February 27 - March 3
First Page
1
Last Page
17
Publisher
Internet Society
City or Country
San Diego, California
Citation
LUO, Wu; DING, Xuhua; WU, Pengfei; ZHANG, Xiaolei; SHEN, Qingni; and WU, Zhonghai. ScriptChecker: To tame third-party script execution with task capabilities. (2022). Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, California, 2022 February 27 - March 3. 1-17.
Available at: https://ink.library.smu.edu.sg/sis_research/6872
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.